WO2018076365A1

WO2018076365A1 - Key negotiation method and device

Info

Publication number: WO2018076365A1
Application number: PCT/CN2016/104113
Authority: WO
Inventors: 刘复鑫
Original assignee: 美的智慧家居科技有限公司; 美的集团股份有限公司
Priority date: 2016-10-31
Filing date: 2016-10-31
Publication date: 2018-05-03

Abstract

Disclosed are a key negotiation method and device. The method comprises: generating a first random number, and using a first public key of a cloud server to encrypt the first random number and identification information about a terminal device so as to generate a first ciphertext; sending, to the cloud server, a key negotiation request comprising the first ciphertext and a second public key of the terminal device; receiving a key negotiation response comprising a second ciphertext and being sent by the cloud server after using the second public key to encrypt a session key comprising the first random number and after verifying that the terminal device is legitimate; and using a second private key to decrypt the second ciphertext, and when the first random number is obtained, using the session key to encrypt a first character string negotiated with the cloud server in advance, and sending a key acknowledgement response comprising a third ciphertext to the cloud server. By means of the method, two-way identity authentication of a terminal device and a cloud server can be realized, and a reliable and secure connection is established, thereby reducing the cost and improving the security of data transmission, and the method has a high efficiency.

Description

Key negotiation method and device

Technical field

本申请涉及信息安全技术领域，尤其涉及一种密钥协商方法及装置。The present application relates to the field of information security technologies, and in particular, to a key negotiation method and apparatus.

Background technique

通常，SSL(Secure Sockets Layer，安全套接层)作为一种为网络通信提供安全及数据完整性的安全协议，常被用于终端设备在与相关服务器通信时，对通信双方身份的确认，以及为了避免数据的泄漏对通信数据的加密等。Generally, SSL (Secure Sockets Layer) is a security protocol that provides security and data integrity for network communication. It is often used to confirm the identity of the communicating parties when the terminal device communicates with the relevant server, and Avoid data leakage, encryption of communication data, etc.

然而，上述使用SSL协议进行安全服务的方式中，由于SSL内存占用率大，多数终端设备无法运行SSL，且SSL在进行服务的过程中，需借助第三方CA公司，操作过于复杂。以及只能对服务器进行身份认证，无法对终端设备进行身份认证，安全性低。However, in the above-mentioned way of using the SSL protocol for security services, most of the terminal devices cannot run SSL because of the large SSL memory usage, and the SSL is required to use a third-party CA company in the process of performing the service, and the operation is too complicated. And the server can only be authenticated, the terminal device cannot be authenticated, and the security is low.

发明内容Summary of the invention

本申请的目的旨在至少在一定程度上解决上述的技术问题之一。The purpose of the present application is to solve at least one of the above technical problems to some extent.

为此，本申请的第一个目的在于提出一种密钥协商方法，该方法可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。To this end, the first object of the present application is to propose a key negotiation method, which can complete the two-way identity authentication of the terminal device and the cloud server, and establish a reliable secure connection, thereby reducing the cost and improving the data transmission. Safe and efficient.

本申请的第二个目的在于提出另一种密钥协商方法。A second object of the present application is to propose another method of key agreement.

本申请的第三个目的在于提出一种密钥协商装置。A third object of the present application is to propose a key agreement apparatus.

本申请的第四个目的在于提出另一种密钥协商装置。A fourth object of the present application is to propose another key agreement apparatus.

本发明的第五个目的在于提出一种设备。A fifth object of the invention is to propose an apparatus.

本发明的第六个目的在于提出另一种设备。A sixth object of the invention is to propose another device.

本发明的第七个目的在于提出一种非易失性计算机存储介质。A seventh object of the present invention is to provide a nonvolatile computer storage medium.

本发明的第八个目的在于提出另一种非易失性计算机存储介质。An eighth object of the present invention is to provide another non-volatile computer storage medium.

为了实现上述目的，本申请第一方面实施例提出了一种密钥协商方法，包括以下步骤：生成第一随机数，应用云端服务器的第一公钥对所述第一随机数和终端设备的标识信息进行加密生成第一密文；向所述云端服务器发送密钥协商请求，其中，所述密钥协商请求包括：所述第一密文和所述终端设备的第二公钥，以便所述云端服务器应用所述第一私钥解密所述第一密文后，根据所述标识信息和所述第二公钥验证所述终端设备的合法性；接收所述云端服务器验证所述终端设备合法后，应用所述第二公钥对会话密钥加密后发送的包括第二密文的密钥协商响应，其中，所述会话密钥包括所述第一随机数；应用所述第二私钥对所述第二密文进行解密，如果获得所述第一随机数，则应用所述会话密钥对预先与所述云端服务器协商的第一字符串进行加密，向所述云端服务器发送包括所述第三密文的密钥确认响应，以供所述云端服务器应用所述会话密钥对所述第三密文进行解密处理，并根据解密结果中是否包含所述第一字符串确定密钥协商是否成功。In order to achieve the above object, the first aspect of the present application provides a key negotiation method, including the following steps: generating a first random number, applying a first public key of a cloud server to the first random number and a terminal device. The identification information is encrypted to generate a first ciphertext; the key negotiation request is sent to the cloud server, where the key negotiation request includes: the first ciphertext and the second public key of the terminal device, so as to After the first server decrypts the first ciphertext, the cloud server verifies the legality of the terminal device according to the identifier information and the second public key, and receives the cloud server to verify the terminal device. After being legal, the packet sent by encrypting the session key by applying the second public key a key agreement response of the second ciphertext, wherein the session key includes the first random number; applying the second private key to decrypt the second ciphertext, if the first random number is obtained And the first session string negotiated with the cloud server is encrypted by using the session key, and the key confirmation response including the third ciphertext is sent to the cloud server for the cloud server Decrypting the third ciphertext by using the session key, and determining whether the key negotiation is successful according to whether the first string is included in the decryption result.

本申请实施例的密钥协商方法，通过终端设备将加密的第一密文发送至云端服务器，以通过云端服务器对其进行解密并根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。In the key negotiation method of the embodiment of the present application, the encrypted first ciphertext is sent to the cloud server by the terminal device, and is decrypted by the cloud server, and the legality of the terminal device is verified according to the identifier information and the second public key, and The decrypted data is encrypted again, sent to the terminal device, and then decrypted after the terminal device receives the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

另外，本申请实施例的密钥协商方法，，还具有如下附加的技术特征：In addition, the key negotiation method in the embodiment of the present application further has the following additional technical features:

在本申请的一个实施例中，所述标识信息为所述终端设备的MAC地址；所述密钥协商请求中还包括：所述第一密文的哈希值，以便所述云端服务器应用所述第一私钥解密所述第一密文后，根据所述MAC地址、所述哈希值和所述第二公钥验证所述终端设备的合法性。In an embodiment of the present application, the identifier information is a MAC address of the terminal device, and the key negotiation request further includes: a hash value of the first ciphertext, so that the cloud server application office After decrypting the first ciphertext, the first private key verifies the legality of the terminal device according to the MAC address, the hash value, and the second public key.

在本申请的一个实施例中，所述应用所述会话密钥对预先与所述云端服务器协商的第一字符串进行加密，包括：按照预设周期通过随机数发生器生成预设长度的随机数；将所述随机数与所述第一字符串进行拼接处理生成第二字符串；应用所述会话密钥对所述第二字符串进行加密，向所述云端服务器发送包括所述第三密文的密钥确认响应，以供所述云端服务器应用所述会话密钥对所述第三密文进行解密处理，并根据解密结果中是否包含所述第一字符串确定密钥协商是否成功。In an embodiment of the present application, the applying the session key to encrypt the first character string negotiated in advance with the cloud server, including: generating a random length of a preset length by using a random number generator according to a preset period. Splicing the random number with the first character string to generate a second character string; applying the session key to encrypt the second character string, and transmitting the third character string to the cloud server a key confirmation response of the ciphertext, wherein the cloud server applies the session key to decrypt the third ciphertext, and determines whether the key negotiation is successful according to whether the first string is included in the decryption result. .

为了实现上述目的，本申请第二方面实施例提出了另一种密钥协商方法，包括以下步骤：接收终端设备发送的密钥协商请求，其中，所述密钥协商请求包括：第一密文和终端设备的第二公钥；应用云端服务器的第一私钥解密所述第一密文获取第一随机数和终端设备的标识信息，根据所述标识信息和所述第二公钥查询预存的许可数据库验证所述终端设备的合法性；如果所述许可数据库包括所述标识信息和所述第二公钥，则应用所述第二公钥对会话密钥加密，向所述终端设备发送包括第二密文的密钥协商响应，其中，所述会话密钥包括所述第一随机数；接收所述终端设备应用所述第二私钥解密所述第二密文获取所述第一随机数后发送的包括第三密文的密钥确认响应，应用所述会话密钥解密所述第三密文获取解密结果；检测所述解密结果中是否包含与所述终端设备预先协商的第一字符串确定密钥协商是否成功。In order to achieve the above object, the second aspect of the present application provides another key negotiation method, including the following steps: receiving a key negotiation request sent by a terminal device, where the key negotiation request includes: a first ciphertext And the second public key of the terminal device; the first private key of the application cloud server is used to decrypt the first ciphertext to obtain the first random number and the identification information of the terminal device, and the pre-stored query is performed according to the identifier information and the second public key. The license database verifies the legality of the terminal device; if the license database includes the identification information and the second public key, applying the second public key to encrypt the session key, and sending the session key to the terminal device a key agreement response including a second ciphertext, wherein the session key includes the first random number; and receiving, by the terminal device, the second private key to decrypt the second ciphertext to obtain the first a key confirmation response including a third ciphertext sent after the random number, applying the session key to decrypt the third ciphertext to obtain a decryption result; and detecting whether the decryption result includes The first string of the pre-negotiated terminal device determines whether the key negotiation is successful.

本申请实施例的密钥协商方法，接收终端设备发送的加密的第一密文，以并对其进行解密再根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The key negotiation method in the embodiment of the present application receives the encrypted first ciphertext sent by the terminal device, decrypts the ciphertext, and then verifies the legality of the terminal device according to the identifier information and the second public key, and performs data decryption. again The encryption is simultaneously sent to the terminal device, and then the terminal device decrypts the second ciphertext after receiving the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

另外，本申请实施例的密钥协商方法，还具有如下附加的技术特征：In addition, the key negotiation method in the embodiment of the present application further has the following additional technical features:

在本申请的一个实施例中，所述应用所述第二公钥对会话密钥加密，包括：生成第二随机数，将所述第二随机数与所述第一随机数进行拼接生成会话密钥；应用所述第二公钥对所述会话密钥加密。In an embodiment of the present application, the applying the second public key to encrypt the session key comprises: generating a second random number, and splicing the second random number with the first random number to generate a session a key; the session key is encrypted by applying the second public key.

为了实现上述目的，本申请第三方面实施例提出了一种密钥协商装置，包括：加密模块，用于生成第一随机数，应用云端服务器的第一公钥对所述第一随机数和终端设备的标识信息进行加密生成第一密文；发送模块，用于向所述云端服务器发送密钥协商请求，其中，所述密钥协商请求包括：所述第一密文和所述终端设备的第二公钥，以便所述云端服务器应用所述第一私钥解密所述第一密文后，根据所述标识信息和所述第二公钥验证所述终端设备的合法性；响应模块，用于接收所述云端服务器验证所述终端设备合法后，应用所述第二公钥对会话密钥加密后发送的包括第二密文的密钥协商响应，其中，所述会话密钥包括所述第一随机数；解密模块，用于应用所述第二私钥对所述第二密文进行解密，在获得所述第一随机数时，应用所述会话密钥对预先与所述云端服务器协商的第一字符串进行加密，向所述云端服务器发送包括所述第三密文的密钥确认响应，以供所述云端服务器应用所述会话密钥对所述第三密文进行解密处理，并根据解密结果中是否包含所述第一字符串确定密钥协商是否成功。In order to achieve the above object, the third aspect of the present application provides a key agreement apparatus, including: an encryption module, configured to generate a first random number, and apply a first public key of a cloud server to the first random number and The identification information of the terminal device is encrypted to generate a first ciphertext; the sending module is configured to send a key negotiation request to the cloud server, where the key negotiation request includes: the first ciphertext and the terminal device a second public key, after the cloud server applies the first private key to decrypt the first ciphertext, and verifies the legality of the terminal device according to the identifier information and the second public key; And a key agreement response including the second ciphertext sent by the second public key after the second public key is encrypted, and the session key is included, after the cloud server is configured to verify that the terminal device is legal. a first random number; a decryption module, configured to apply the second private key to decrypt the second ciphertext, and when the first random number is obtained, apply the session key pair in advance The first string negotiated by the cloud server is encrypted, and a key confirmation response including the third ciphertext is sent to the cloud server, where the cloud server applies the session key to the third ciphertext. Decryption processing is performed, and whether the key negotiation is successful is determined according to whether the first character string is included in the decryption result.

本申请实施例的密钥协商装置，通过终端设备将加密的第一密文发送至云端服务器，以通过云端服务器对其进行解密并根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The key agreement apparatus of the embodiment of the present invention sends the encrypted first ciphertext to the cloud server through the terminal device, decrypts the cloud file through the cloud server, and verifies the legality of the terminal device according to the identifier information and the second public key, and The decrypted data is encrypted again, sent to the terminal device, and then decrypted after the terminal device receives the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

另外，本申请实施例的密钥协商装置，还具有如下附加的技术特征：In addition, the key agreement apparatus of the embodiment of the present application further has the following additional technical features:

在本申请的一个实施例中，所述解密模块用于：按照预设周期通过随机数发生器生成预设长度的随机数；将所述随机数与所述第一字符串进行拼接处理生成第二字符串；应用所述会话密钥对所述第二字符串进行加密，向所述云端服务器发送包括所述第三密文的密钥确认响应，以供所述云端服务器应用所述会话密钥对所述第三密文进行解密处理，并根据解密结果中是否包含所述第一字符串确定密钥协商是否成功。In an embodiment of the present application, the decrypting module is configured to: generate a random number of a preset length by using a random number generator according to a preset period; and perform splicing processing on the random number and the first character string to generate a first a second string; the second string is encrypted by applying the session key, and a key confirmation response including the third ciphertext is sent to the cloud server, where the cloud server applies the session secret Decrypting the third ciphertext by the key, and rooting Whether the key negotiation is successful is determined according to whether the first string is included in the decrypted result.

为了实现上述目的，本申请第四方面实施例提出了另一种密钥协商装置，其特征在于，包括：接收模块，用于接收终端设备发送的密钥协商请求，其中，所述密钥协商请求包括：第一密文和终端设备的第二公钥；查询模块，用于应用云端服务器的第一私钥解密所述第一密文获取第一随机数和终端设备的标识信息，根据所述标识信息和所述第二公钥查询预存的许可数据库验证所述终端设备的合法性；第一处理模块，用于在所述许可数据库包括所述标识信息和所述第二公钥时，应用所述第二公钥对会话密钥加密，向所述终端设备发送包括第二密文的密钥协商响应，其中，所述会话密钥包括所述第一随机数；第二处理模块，用于接收所述终端设备应用所述第二私钥解密所述第二密文获取所述第一随机数后发送的包括第三密文的密钥确认响应，应用所述会话密钥解密所述第三密文获取解密结果；检测模块，用于检测所述解密结果中是否包含与所述终端设备预先协商的第一字符串确定密钥协商是否成功。In order to achieve the above object, the fourth aspect of the present application provides another key agreement apparatus, which includes: a receiving module, configured to receive a key negotiation request sent by a terminal device, where the key negotiation The request includes: a first ciphertext and a second public key of the terminal device; the query module is configured to decrypt the first ciphertext by using the first private key of the cloud server to obtain the first random number and the identifier information of the terminal device, according to the Determining the legality of the terminal device by using the identifier information and the second public key query pre-stored license database; the first processing module is configured to: when the license database includes the identifier information and the second public key, Applying the second public key to encrypt the session key, and sending a key agreement response including the second ciphertext to the terminal device, where the session key includes the first random number; and the second processing module, Receiving a key confirmation response including the third ciphertext sent by the terminal device after the second private key is decrypted by the second private key to obtain the first ciphertext, and applying the conference Decrypting the third ciphertext decryption result acquired; a detection module for detecting whether the decryption result string comprising a first pre-negotiated with the terminal device determines whether the key negotiation is successful.

本申请实施例的密钥协商装置，本申请实施例的密钥协商方法，接收终端设备发送的加密的第一密文，以并对其进行解密再根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The key negotiation apparatus in the embodiment of the present application, the key negotiation method in the embodiment of the present application, receives the encrypted first ciphertext sent by the terminal device, and decrypts the second ciphertext according to the identification information and the second public key. The legality, and the decrypted data is encrypted again, sent to the terminal device, and then decrypted after the terminal device receives the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

在本申请的一个实施例中，所述第一处理模块用于：生成第二随机数，将所述第二随机数与所述第一随机数进行拼接生成会话密钥；应用所述第二公钥对所述会话密钥加密。In an embodiment of the present application, the first processing module is configured to: generate a second random number, splicing the second random number and the first random number to generate a session key; and applying the second The public key encrypts the session key.

本发明第五方面实施例提供了一种设备，包括：一个或者多个处理器；存储器；一个或者多个程序，所述一个或者多个程序存储在所述存储器中，当被所述一个或者多个处理器执行时，执行以下步骤：生成第一随机数，应用云端服务器的第一公钥对所述第一随机数和终端设备的标识信息进行加密生成第一密文；向所述云端服务器发送密钥协商请求，其中，所述密钥协商请求包括：所述第一密文和所述终端设备的第二公钥，以便所述云端服务器应用所述第一私钥解密所述第一密文后，根据所述标识信息和所述第二公钥验证所述终端设备的合法性；接收所述云端服务器验证所述终端设备合法后，应用所述第二公钥对会话密钥加密后发送的包括第二密文的密钥协商响应，其中，所述会话密钥包括所述第一随机数；应用所述第二私钥对所述第二密文进行解密，如果获得所述第一随机数，则应用所述会话密钥对预先与所述云端服务器协商的第一字符串进行加密，向所述云端服务器发送包括所述第三密文的密钥确认响应，以供所述云端服务器应用所述会话密钥对所述第三密文进行解密处理，并根据解密结果中是否包含所述第一字符串确定密钥协商是否成功。 An embodiment of the fifth aspect of the present invention provides an apparatus, including: one or more processors; a memory; one or more programs, the one or more programs being stored in the memory when When the plurality of processors are executed, performing the following steps: generating a first random number, encrypting the first random number and the identification information of the terminal device by using the first public key of the cloud server to generate a first ciphertext; and sending the first ciphertext to the cloud The server sends a key negotiation request, where the key negotiation request includes: the first ciphertext and the second public key of the terminal device, so that the cloud server applies the first private key to decrypt the first After the ciphertext, verifying the legality of the terminal device according to the identifier information and the second public key; and after receiving the cloud server to verify that the terminal device is legal, applying the second public key to the session key a key agreement response including a second ciphertext sent after encryption, wherein the session key includes the first random number; and applying the second private key to solve the second ciphertext And if the first random number is obtained, applying the session key to encrypt a first character string negotiated in advance with the cloud server, and sending a key confirmation including the third ciphertext to the cloud server. In response, the cloud server applies the session key to decrypt the third ciphertext, and determines whether the key negotiation is successful according to whether the first string is included in the decryption result.

本申请实施例的设备，通过终端设备将加密的第一密文发送至云端服务器，以通过云端服务器对其进行解密并根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The device in the embodiment of the present application sends the encrypted first ciphertext to the cloud server through the terminal device, decrypts the cloud device through the cloud server, and verifies the legality of the terminal device according to the identifier information and the second public key, and obtains the decryption result. The data is encrypted again, sent to the terminal device, and then decrypted after the terminal device receives the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

本发明第六方面实施例提供了一种设备，包括：一个或者多个处理器；存储器；一个或者多个程序，所述一个或者多个程序存储在所述存储器中，当被所述一个或者多个处理器执行时，执行以下步骤：接收终端设备发送的密钥协商请求，其中，所述密钥协商请求包括：第一密文和终端设备的第二公钥；应用云端服务器的第一私钥解密所述第一密文获取第一随机数和终端设备的标识信息，根据所述标识信息和所述第二公钥查询预存的许可数据库验证所述终端设备的合法性；如果所述许可数据库包括所述标识信息和所述第二公钥，则应用所述第二公钥对会话密钥加密，向所述终端设备发送包括第二密文的密钥协商响应，其中，所述会话密钥包括所述第一随机数；接收所述终端设备应用所述第二私钥解密所述第二密文获取所述第一随机数后发送的包括第三密文的密钥确认响应，应用所述会话密钥解密所述第三密文获取解密结果；检测所述解密结果中是否包含与所述终端设备预先协商的第一字符串确定密钥协商是否成功。A sixth aspect of the present invention provides an apparatus, including: one or more processors; a memory; one or more programs, the one or more programs being stored in the memory when When the multiple processors are executed, the following steps are performed: receiving a key negotiation request sent by the terminal device, where the key negotiation request includes: a first ciphertext and a second public key of the terminal device; and a first application cloud server The private key decrypts the first ciphertext to obtain the first random number and the identification information of the terminal device, and queries the pre-stored license database according to the identifier information and the second public key to verify the legality of the terminal device; The license database includes the identifier information and the second public key, and the second public key is used to encrypt the session key, and the key agreement response including the second ciphertext is sent to the terminal device, where The session key includes the first random number; and the receiving, by the terminal device, the second private key is used to decrypt the second ciphertext to obtain the first random number, and the a key confirmation response of the ciphertext, applying the session key to decrypt the third ciphertext to obtain a decryption result; and detecting whether the decryption result includes a first string determined in advance by the terminal device to determine whether the key negotiation is success.

本申请实施例的设备，接收终端设备发送的加密的第一密文，以并对其进行解密再根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The device of the embodiment of the present application receives the encrypted first ciphertext sent by the terminal device, decrypts the ciphertext, and then verifies the legality of the terminal device according to the identifier information and the second public key, and performs the decrypted data again. The encryption is simultaneously sent to the terminal device, and then the terminal device decrypts the second ciphertext after receiving the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

本发明第七方面实施例提供了一种非易失性计算机存储介质，所述计算机存储介质存储有一个或者多个程序，当所述一个或者多个程序被一个设备执行时，使得所述设备执行以下步骤：生成第一随机数，应用云端服务器的第一公钥对所述第一随机数和终端设备的标识信息进行加密生成第一密文；向所述云端服务器发送密钥协商请求，其中，所述密钥协商请求包括：所述第一密文和所述终端设备的第二公钥，以便所述云端服务器应用所述第一私钥解密所述第一密文后，根据所述标识信息和所述第二公钥验证所述终端设备的合法性；接收所述云端服务器验证所述终端设备合法后，应用所述第二公钥对会话密钥加密后发送的包括第二密文的密钥协商响应，其中，所述会话密钥包括所述第一随机数；应用所述第二私钥对所述第二密文进行解密，如果获得所述第一随机数，则应用所述会话密钥对预先与所述云端服务器协商的第一字符串进行加密，向所述云端服务器发送包括所述第三密文的密钥确认响应，以供所述云端服务器应用所述会话密钥对所述第三密文进行解密处理，并根据解密结果中是否包含所述第一字符串确定密钥协商是否成功。A seventh aspect of the present invention provides a non-volatile computer storage medium storing one or more programs, when the one or more programs are executed by a device, causing the device Performing the following steps: generating a first random number, encrypting the first random number and the identification information of the terminal device by using the first public key of the cloud server to generate a first ciphertext; and sending a key negotiation request to the cloud server, The key negotiation request includes: the first ciphertext and the second public key of the terminal device, so that the cloud server applies the first private key to decrypt the first ciphertext, according to the Determining the legality of the terminal device by using the identifier information and the second public key; after receiving the cloud server to verify that the terminal device is legal, the second public key is used to encrypt the session key and then sent a key agreement response of the ciphertext, wherein the session key includes the first random number; applying the second private key to decrypt the second ciphertext, if obtained The first random number is used to encrypt the first character string negotiated in advance with the cloud server by using the session key, and send a key confirmation response including the third ciphertext to the cloud server for the Decoding the third ciphertext by using the session key by the cloud server Processing, and determining whether the key negotiation is successful according to whether the first string is included in the decrypted result.

本申请实施例的非易失性计算机存储介质，通过终端设备将加密的第一密文发送至云端服务器，以通过云端服务器对其进行解密并根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The non-volatile computer storage medium of the embodiment of the present application sends the encrypted first ciphertext to the cloud server through the terminal device, decrypts the cloud file through the cloud server, and verifies the legality of the terminal device according to the identifier information and the second public key. And encrypting the decrypted data again, sending it to the terminal device, and then decrypting the second ciphertext after the terminal device receives the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

本发明第八方面实施例提供了一种非易失性计算机存储介质，所述计算机存储介质存储有一个或者多个程序，当所述一个或者多个程序被一个设备执行时，使得所述设备执行以下步骤：接收终端设备发送的密钥协商请求，其中，所述密钥协商请求包括：第一密文和终端设备的第二公钥；应用云端服务器的第一私钥解密所述第一密文获取第一随机数和终端设备的标识信息，根据所述标识信息和所述第二公钥查询预存的许可数据库验证所述终端设备的合法性；如果所述许可数据库包括所述标识信息和所述第二公钥，则应用所述第二公钥对会话密钥加密，向所述终端设备发送包括第二密文的密钥协商响应，其中，所述会话密钥包括所述第一随机数；接收所述终端设备应用所述第二私钥解密所述第二密文获取所述第一随机数后发送的包括第三密文的密钥确认响应，应用所述会话密钥解密所述第三密文获取解密结果；检测所述解密结果中是否包含与所述终端设备预先协商的第一字符串确定密钥协商是否成功。An eighth aspect of the present invention provides a non-volatile computer storage medium storing one or more programs, when the one or more programs are executed by one device, causing the device The following steps are performed: receiving a key negotiation request sent by the terminal device, where the key negotiation request includes: a first ciphertext and a second public key of the terminal device; and decrypting the first by using a first private key of the cloud server Obtaining the first random number and the identification information of the terminal device, and verifying the legality of the terminal device according to the identifier information and the second public key querying the pre-stored license database; if the license database includes the identifier information And the second public key, the second public key is used to encrypt the session key, and the key agreement response including the second ciphertext is sent to the terminal device, where the session key includes the first a random number; receiving a key including the third ciphertext sent by the terminal device after the second private key is decrypted by the second private key to obtain the first random number In response to applying the third session key to decrypt the ciphertext decryption result acquired; detecting whether the decryption result string comprising a first pre-negotiated with the terminal device determines whether the key negotiation is successful.

本申请实施例的非易失性计算机存储介质，接收终端设备发送的加密的第一密文，以并对其进行解密再根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The non-volatile computer storage medium of the embodiment of the present application receives the encrypted first ciphertext sent by the terminal device, decrypts the ciphertext, and then verifies the legality of the terminal device according to the identification information and the second public key, and decrypts the The data is obtained for another encryption, and is simultaneously transmitted to the terminal device, and then decrypted after the terminal device receives the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

本申请附加的方面和优点将在下面的描述中部分给出，部分将从下面的描述中变得明显，或通过本申请的实践了解到。The aspects and advantages of the present invention will be set forth in part in the description which follows.

DRAWINGS

本申请上述的和/或附加的方面和优点从下面结合附图对实施例的描述中将变得明显和容易理解，其中：The above and/or additional aspects and advantages of the present invention will become apparent and readily understood from

图1是根据本申请一个实施例的密钥协商方法的流程图；1 is a flowchart of a key agreement method according to an embodiment of the present application;

图2是根据本申请另一个实施例的密钥协商方法的流程；2 is a flowchart of a key agreement method according to another embodiment of the present application;

图3是根据本申请一个实施例的密钥协商方法的示意图； FIG. 3 is a schematic diagram of a key agreement method according to an embodiment of the present application; FIG.

图4是根据本申请一个实施例的密钥协商装置的结构示意图；4 is a schematic structural diagram of a key agreement apparatus according to an embodiment of the present application;

图5是根据本申请另一个实施例的密钥协商装置的结构示意图。FIG. 5 is a schematic structural diagram of a key agreement apparatus according to another embodiment of the present application.

detailed description

下面详细描述本申请的实施例，所述实施例的示例在附图中示出，其中自始至终相同或类似的标号表示相同或类似的元件或具有相同或类似功能的元件。下面通过参考附图描述的实施例是示例性的，旨在用于解释本申请，而不能理解为对本申请的限制。The embodiments of the present application are described in detail below, and the examples of the embodiments are illustrated in the drawings, wherein the same or similar reference numerals are used to refer to the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the accompanying drawings are intended to be illustrative, and are not to be construed as limiting.

下面参考附图描述本申请实施例的密钥协商方法及装置。The key negotiation method and apparatus of the embodiment of the present application are described below with reference to the accompanying drawings.

通常，SSL在为网络通信提供安全服务时，在设备端使用CA证书，通过设备的公私钥配对加解密，完成对服务器的认证。Generally, when SSL provides security services for network communication, the CA certificate is used on the device side, and the device is authenticated by encrypting and decrypting the public and private keys of the device.

举例而言，终端设备发送一个连接请求至服务器，服务器将自己的CA证书，以及与CA证书相关的信息发送至终端设备，终端设备检查服务器发送的CA证书是否是由自己信赖的CA中心签发的。For example, the terminal device sends a connection request to the server, and the server sends its own CA certificate and information related to the CA certificate to the terminal device, and the terminal device checks whether the CA certificate sent by the server is issued by the CA center trusted by the server. .

如果是，则继续执行SSL协议，终端设备比较CA证书的信息，比如域名、公钥等信息，与服务器先前发送的相关信息是否一致，只有在信息一致时，认证服务器身份合法。If yes, the SSL protocol is executed. The terminal device compares the information of the CA certificate, such as the domain name and public key, with the information previously sent by the server. The authentication server is legal only when the information is consistent.

进而，在服务器合法时，服务器从终端设备发送过来的密码方案中，选择一种加密程度最高的密码方案，用终端设备的公钥加过密后通知终端设备，终端设备针对该密码方案，选择一个通话密钥，进而使用服务器的公钥加过密后发送给服务器。Further, when the server is legal, the server selects a password scheme with the highest degree of encryption from the password scheme sent by the terminal device, and notifies the terminal device after adding the password of the terminal device, and the terminal device selects the password scheme for the password scheme. A call key, which is then sent to the server using the server's public key.

从而，服务器接收到终端设备发送过来的信息，通过自己的私钥解密获得通话密钥，进而服务器、浏览器根据密码对称方案进行信息交互。Therefore, the server receives the information sent by the terminal device, decrypts the private key to obtain the session key, and the server and the browser exchange information according to the password symmetric scheme.

由此，可以看出在使用SSL协议进行通信时，只能对服务器进行身份认证，无法对终端设备进行身份认证，且SSL相对太过庞大，多数终端设备无法运行SSL,可行性低，并且由于SSL需要借助第三方CA公司，操作过于复杂。以及只能对服务器进行身份认证，无法对终端设备进行身份认证，安全性低。Therefore, it can be seen that when using the SSL protocol for communication, only the server can be authenticated, the terminal device cannot be authenticated, and the SSL is relatively too large. Most terminal devices cannot run SSL, which is low in feasibility and SSL requires the help of a third-party CA company, and the operation is too complicated. And the server can only be authenticated, the terminal device cannot be authenticated, and the security is low.

为了解决上述问题，本申请提出了一种密钥协商方法，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。具体如下：In order to solve the above problem, the present application proposes a key negotiation method, which can complete the two-way identity authentication of the terminal device and the cloud server, and establish a reliable secure connection, thereby reducing the cost, which improves the security and efficiency of data transmission. high. details as follows:

图1是根据本申请一个实施例的密钥协商方法的流程图。1 is a flow chart of a method of key agreement in accordance with one embodiment of the present application.

如图1所示，该密钥协商方法包括：As shown in FIG. 1, the key negotiation method includes:

步骤110，生成第一随机数，应用云端服务器的第一公钥对第一随机数和终端设备的标识信息进行加密生成第一密文。Step 110: Generate a first random number, and apply the first public key of the cloud server to encrypt the first random number and the identification information of the terminal device to generate a first ciphertext.

具体地，可以通过随机数发生器生成预设长度的第一随机数。其中，预设长度可以根据需要进行设置，例如5个字符串、10个字符串等。其中，随机数可以是字母、数字和特殊符号等中的一种或者多种。Specifically, the first random number of the preset length may be generated by the random number generator. Where the preset length can be rooted Set as needed, such as 5 strings, 10 strings, and so on. The random number may be one or more of letters, numbers, special symbols, and the like.

进一步地，终端设备可以获取自身的标识信息，并可使用预先存储的云端服务器的第一公钥对得到的第一随机数和标识信息进行加密操作，以生成第一密文。Further, the terminal device may obtain its own identification information, and may perform an encryption operation on the obtained first random number and the identification information by using the first public key of the cloud server that is stored in advance to generate the first ciphertext.

其中，标识信息可以是MAC(Media Access Control，媒体访问控制)地址，也可以是IMEI(International Mobile Equipment Identity，国际移动设备身份码)，还可以是其他的设备标识信息，可以根据实际应用需要进行选择设置。The identifier information may be a MAC (Media Access Control) address, or may be an International Mobile Equipment Identity (IMEI), or may be other device identification information, and may be performed according to actual application requirements. Select settings.

其中，第一公钥是与云端服务器预先约定设置的可以对明文进行加密的密钥。The first public key is a key that is pre-agreed with the cloud server and can encrypt the plaintext.

举例而言，云端服务器可预先使用非对称算法生成一对永久的第一私钥和第一公钥对，并存储在云端服务器上，同时云端服务器会将第一公钥发送给终端设备上。从而在终端设备向云端服务器发起建立连接请求时，云端服务器能够根第一私钥验证终端设备的身份，以保证非法终端设备与云端服务器建立连接，进一步提高数据传输的安全性。For example, the cloud server may pre-generate a pair of permanent first private key and first public key pair by using an asymmetric algorithm, and store it on the cloud server, and the cloud server sends the first public key to the terminal device. Therefore, when the terminal device initiates the connection establishment request to the cloud server, the cloud server can verify the identity of the terminal device by using the first private key to ensure that the illegal terminal device establishes a connection with the cloud server, thereby further improving the security of data transmission.

步骤120，向云端服务器发送密钥协商请求，其中，密钥协商请求包括：第一密文和终端设备的第二公钥，以便云端服务器应用第一公钥解密第一密文后，根据标识信息和第二公钥验证终端设备的合法性。Step 120: Send a key negotiation request to the cloud server, where the key negotiation request includes: the first ciphertext and the second public key of the terminal device, so that the cloud server applies the first public key to decrypt the first ciphertext, according to the identifier. The information and the second public key verify the legitimacy of the terminal device.

具体地，终端设备在向云端服务器发送包括第一密文和终端设备的第二公钥的密钥协商请求后，云端服务器可以应用第一私钥解密第一密文后，得到第一随机数和标识信息。Specifically, after the terminal device sends the key negotiation request including the first ciphertext and the second public key of the terminal device to the cloud server, the cloud server may use the first private key to decrypt the first ciphertext to obtain the first random number. And identification information.

其中，当标识信息是终端设备的MAC地址时，通过同时查询许可数据库，以确认许可服务器是否已经生成MAC和第二公钥，从而根据MAC和第二公钥验证终端设备的合法性。Wherein, when the identification information is the MAC address of the terminal device, the validity of the terminal device is verified according to the MAC and the second public key by checking the license database at the same time to confirm whether the license server has generated the MAC and the second public key.

或者是，密钥协商请求中还包括第一密文的哈希值，以便云端服务器应用第一公钥解密第一密文后，根据MAC地址、哈希值和第二公钥验证终端设备的合法性。Alternatively, the key negotiation request further includes a hash value of the first ciphertext, so that the cloud server applies the first public key to decrypt the first ciphertext, and then verifies the terminal device according to the MAC address, the hash value, and the second public key. legality.

需要说明的是，如果应用第一私钥解密第一密文成功，进行后续验证，如果应用第一公钥解密第一密文失败，云端服务器可以将该终端设备作为非法终端设备，不再进行后续验证。It should be noted that, if the first private key is used to decrypt the first ciphertext successfully, and subsequent verification is performed, if the first public key is used to decrypt the first ciphertext, the cloud server may use the terminal device as an illegal terminal device, and no longer perform the process. Subsequent verification.

步骤130，接收云端服务器验证终端设备合法后，应用第二公钥对会话密钥加密后发送的包括第二密文的密钥协商响应，其中，会话密钥包括第一随机数。Step 130: After receiving the cloud server to verify that the terminal device is legal, the second public key is used to encrypt the session key and then send a key agreement response including the second ciphertext, where the session key includes the first random number.

具体地，在对第一密文解密成功，并得到第一密文的明文信息之后，云端服务器使用接收到的第二公钥对该包括第一随机数的会话秘钥进行加密操作得到第二密文，然后将第二密文发送给终端设备。Specifically, after the first ciphertext is successfully decrypted, and the plaintext information of the first ciphertext is obtained, the cloud server uses the received second public key to encrypt the session key including the first random number to obtain a second operation. The ciphertext is then sent to the terminal device.

为了进一步提高数据传输的安全性，可以在对第一密文解密成功，并得到第一密文的明文信息之后，云端服务器还可生成一个第二随机数，将第一随机数和第二随机数进行拼接，得到拼接数据，并使用接收到的第二公钥对该拼接数据进行加密操作得到第二密文，然后将第二密文发送给终端设备。也就是说，第二密文还包括云端服务器生成的第二随机数。In order to further improve the security of the data transmission, after the first ciphertext is successfully decrypted and the plaintext information of the first ciphertext is obtained, the cloud server may further generate a second random number, the first random number and the second random number. The number is spliced to obtain spliced data, and the spliced data is encrypted by using the received second public key to obtain a second ciphertext. The second ciphertext is then sent to the terminal device. That is to say, the second ciphertext further includes a second random number generated by the cloud server.

需要说明的是，在会话密钥中必须包含第一随机数，另外为了进一步提高安全性加入第二随机数或者别的数据可以根据需要选择设置。It should be noted that the first random number must be included in the session key, and the second random number or other data may be added to further improve security.

步骤140，应用第二公钥对第二密文进行解密，如果获得第一随机数，则应用会话密钥对预先与云端服务器协商的第一字符串进行加密，向云端服务器发送包括第三密文的密钥确认响应，以供云端服务器应用会话密钥对第三密文进行解密处理，并根据解密结果中是否包含第一字符串确定密钥协商是否成功。Step 140: The second public key is used to decrypt the second ciphertext. If the first random number is obtained, the session key is used to encrypt the first character string negotiated in advance with the cloud server, and the third server is sent to the cloud server. The key confirmation response of the file is used for decrypting the third ciphertext by the cloud server application session key, and determining whether the key negotiation is successful according to whether the first string is included in the decryption result.

具体地，当终端设备接收到第二密文后，使用终端设备的第二私钥对其进行解密操作，在解密成功后，可根据生成的第一随机数与解密得到的明文信息进行比对，如果比对结果中包含有第一随机数，则终端设备确认云端服务器通过身份验证。Specifically, after receiving the second ciphertext, the terminal device decrypts the second private key of the terminal device, and after the decryption succeeds, compares the generated first random number with the decrypted plaintext information. If the comparison result includes the first random number, the terminal device confirms that the cloud server passes the authentication.

进一步地，当确定云端服务器通过身份认证之后，应用会话密钥对预先与云端服务器协商的第一字符串进行加密，向云端服务器发送包括第三密文的密钥确认响应，以供云端服务器应用会话密钥对第三密文进行解密处理，并根据解密结果中是否包含第一字符串确定密钥协商是否成功。Further, after determining that the cloud server passes the identity authentication, the application session key encrypts the first character string negotiated in advance with the cloud server, and sends a key confirmation response including the third ciphertext to the cloud server for the cloud server application. The session key decrypts the third ciphertext, and determines whether the key negotiation is successful according to whether the first string is included in the decryption result.

其中，应用会话密钥对预先与云端服务器协商的第一字符串进行加密可以理解为首先按照预设周期通过随机数发生器生成预设长度的随机数。The encrypting the first character string negotiated in advance with the cloud server by using the session key may be understood as firstly generating a random number of a preset length by using a random number generator according to a preset period.

进一步地，将随机数与第一字符串进行拼接处理生成第二字符串。Further, the random number is spliced with the first character string to generate a second character string.

进一步地，应用会话密钥对第二字符串进行加密，向云端服务器发送包括第三密文的密钥确认响应，以供云端服务器应用会话密钥对第三密文进行解密处理，并根据解密结果中是否包含第一字符串确定密钥协商是否成功。Further, the application session key encrypts the second character string, and sends a key confirmation response including the third ciphertext to the cloud server, so that the cloud server applies the session key to decrypt the third ciphertext, and decrypts according to the decryption process. Whether the result contains the first string determines whether the key negotiation is successful.

其中，预设周期可以根据需要进行设置，例如10分钟、20分钟等。The preset period can be set as needed, for example, 10 minutes, 20 minutes, and the like.

其中，预设长度可以根据需要进行设置，例如5个字符串、10个字符串等。The preset length can be set as needed, for example, 5 strings, 10 strings, and the like.

其中，随机数可以是字母、数字和特殊符号等中的一种或者多种。The random number may be one or more of letters, numbers, special symbols, and the like.

需要说明的是，拼接处理可以理解为“随机数+第一字符串”、也可以理解为“第一字符串+随机数”、还可以理解为随机数任意插入第一字符串的各个字符之间等。It should be noted that the splicing process can be understood as “random number + first character string”, and can also be understood as “first character string + random number”, and can also be understood as random characters arbitrarily inserted into each character of the first character string. Wait.

具体地，可以通过例如MD5加密算法、DES加密算法和RSA加密算法等，应用与云端服务器预先协商的会话密钥对第二字符串进行加密得到的结果作为第三密文。Specifically, the result of encrypting the second character string by using a session key pre-negotiated with the cloud server may be used as the third ciphertext by, for example, an MD5 encryption algorithm, a DES encryption algorithm, an RSA encryption algorithm, or the like.

进一步，将第三密文发送给云端服务器，云端服务器会利用相应的解密Further, the third ciphertext is sent to the cloud server, and the cloud server uses the corresponding decryption.

算法，应用与终端设备预先协商的会话密钥对第三密文进行解密处理。The algorithm performs decryption processing on the third ciphertext by using a session key pre-negotiated with the terminal device.

进一步地，判断解密结果中是否包含第一字符串以确定终端设备与服务器协商是否成功。 Further, it is determined whether the first character string is included in the decryption result to determine whether the terminal device negotiates with the server successfully.

图2是根据本申请另一个实施例的密钥协商方法的流程图。2 is a flow chart of a method of key agreement in accordance with another embodiment of the present application.

如图2所示，该密钥协商方法包括：As shown in FIG. 2, the key negotiation method includes:

步骤210，接收终端设备发送的密钥协商请求，其中，密钥协商请求包括：第一密文和终端设备的第二公钥。Step 210: Receive a key negotiation request sent by the terminal device, where the key negotiation request includes: a first ciphertext and a second public key of the terminal device.

步骤220，应用云端服务器的第一私钥解密第一密文获取第一随机数和终端设备的标识信息，根据标识信息和第二公钥查询预存的许可数据库验证终端设备的合法性。Step 220: The first private key of the cloud server is used to decrypt the first ciphertext to obtain the first random number and the identification information of the terminal device, and the pre-stored license database is queried according to the identifier information and the second public key to verify the legality of the terminal device.

具体地，云端服务器接收终端设备发送的密钥协商请求后，云端服务器可以应用第一私钥解密第一密文后，得到第一随机数和终端设备的标识信息。Specifically, after the cloud server receives the key negotiation request sent by the terminal device, the cloud server may use the first private key to decrypt the first ciphertext, and obtain the first random number and the identification information of the terminal device.

需要说明的是，标识信息的具体说明请参见步骤110，此处不再详述。For details of the identification information, refer to step 110, which is not described in detail here.

其中，可以通过同时查询许可数据库，以确认许可服务器是否已经生成MAC和第二公钥，从而根据MAC和第二公钥验证终端设备的合法性。Wherein, the validity of the terminal device can be verified according to the MAC and the second public key by simultaneously querying the license database to confirm whether the license server has generated the MAC and the second public key.

步骤230，如果许可数据库包括标识信息和第二公钥，则应用第二公钥对会话密钥加密，向终端设备发送包括第二密文的密钥协商响应，其中，会话密钥包括第一随机数。Step 230: If the license database includes the identifier information and the second public key, encrypt the session key by applying the second public key, and send a key agreement response including the second ciphertext to the terminal device, where the session key includes the first random number.

步骤240，接收终端设备应用第二私钥解密第二密文获取第一随机数后发送的包括第三密文的密钥确认响应，应用会话密钥解密第三密文获取解密结果。Step 240: The receiving terminal device applies a second private key to decrypt the second ciphertext to obtain a key acknowledgment response including the third ciphertext after the first random number is obtained, and decrypts the third ciphertext by using the session key to obtain the decryption result.

具体地，许可数据库包括标识信息和第二公钥，使用接收到的第二公钥对该包括第一随机数的会话秘钥进行加密操作得到第二密文，然后将第二密文发送给终端设备。Specifically, the license database includes the identifier information and the second public key, and the session key including the first random number is encrypted by using the received second public key to obtain a second ciphertext, and then the second ciphertext is sent to Terminal Equipment.

其中，为了进一步提高数据传输的安全性，可以生成第二随机数，将第二随机数与第一随机数进行拼接生成会话密钥，应用第二公钥对所述会话密钥加密。In order to further improve the security of data transmission, a second random number may be generated, the second random number is spliced with the first random number to generate a session key, and the session key is encrypted by applying a second public key.

进一步地，云端服务器向终端设备发送包括第二密文的密钥协商响应。由此，接收终端设备应用第二私钥解密第二密文获取第一随机数后发送的包括第三密文的密钥确认响应，应用会话密钥解密第三密文获取解密结果。Further, the cloud server sends a key agreement response including the second ciphertext to the terminal device. Therefore, the receiving terminal device uses the second private key to decrypt the second ciphertext to obtain the key acknowledgment response including the third ciphertext after the first random number is obtained, and decrypts the third ciphertext by using the session key to obtain the decrypted result.

步骤250，检测解密结果中是否包含与终端设备预先协商的第一字符串确定密钥协商是否成功。 Step 250: Detect whether the decryption result includes whether the first string determined in advance with the terminal device determines whether the key negotiation is successful.

具体地，将第三密文发送给云端服务器，云端服务器会利用相应的解密Specifically, the third ciphertext is sent to the cloud server, and the cloud server uses the corresponding decryption.

进一步地，判断解密结果中是否包含第一字符串以确定终端设备与服务器协商是否成功。Further, it is determined whether the first character string is included in the decryption result to determine whether the terminal device negotiates with the server successfully.

需要说明的是，在检测获知解密结果中包含第一字符串时应用与终端设备协商的密钥信息对交互信息进行加密或解密处理。即在密钥协商结束以后，可以利用与终端设备协商的密钥信息对交互信息进行处理，可以是加密、解密等一种或者多种。It should be noted that, when detecting that the decrypted result includes the first character string, the key information that is negotiated with the terminal device is applied to encrypt or decrypt the interaction information. That is, after the key negotiation ends, the interaction information may be processed by using the key information negotiated with the terminal device, which may be one or more of encryption and decryption.

本申请实施例的密钥协商方法，接收终端设备发送的加密的第一密文，以并对其进行解密再根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The key negotiation method in the embodiment of the present application receives the encrypted first ciphertext sent by the terminal device, decrypts the ciphertext, and then verifies the legality of the terminal device according to the identifier information and the second public key, and performs data decryption. Once again, the encryption is simultaneously sent to the terminal device, and then the terminal device decrypts the second ciphertext after it receives the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

为了本领域人员更加清楚上述实施过程，结合例子说明如下：In order to make the above implementation process more clear to those skilled in the art, the following examples are described as follows:

图3是根据本申请一个实施例的密钥协商方法的示意图。FIG. 3 is a schematic diagram of a key agreement method according to an embodiment of the present application.

如图3所示，智能终端可通过无线连接(WIFI、蓝牙、ZigBee等)的方式向云端服务器发送密钥协商请求时，其中，该密钥协商请求包括第一密文和第二公钥。As shown in FIG. 3, the smart terminal can send a key negotiation request to the cloud server by means of a wireless connection (WIFI, Bluetooth, ZigBee, etc.), wherein the key negotiation request includes the first ciphertext and the second public key.

其中，该第一密文为使用云端服务器第一公钥对第一随机数R1和终端设备的MAC地址进行加密得到的。在云端服务器接收到该密钥协商请求之后，可对该密钥协商请求进行解密操作以获得相应的明文信息，即第一随机数R1、终端设备的MAC地址和终端设备的第二公钥。The first ciphertext is obtained by encrypting the first random number R1 and the MAC address of the terminal device by using the first public key of the cloud server. After the cloud server receives the key negotiation request, the key negotiation request may be decrypted to obtain corresponding plaintext information, that is, the first random number R1, the MAC address of the terminal device, and the second public key of the terminal device.

另外，云端服务器还可以生成一个第二随机数R2，然后通过使用第二公钥对获得的第一随机数R1和第二随机数R2进行加密，得到第二密文，并发送至终端设备。In addition, the cloud server may further generate a second random number R2, and then encrypt the first random number R1 and the second random number R2 obtained by using the second public key to obtain a second ciphertext, and send the second ciphertext to the terminal device.

进一步地，终端设备在接收到第二密文之后，可使用第二私钥对第二密文进行解密，并在解密成功后，向云端服务器发送加密的认证通过信息，其中发送的认证通过信息可以是根据第一随机数R1和第二随机数R2对预先设置的确认信息(如图3中的“OK”等)进行加密生成的。Further, after receiving the second ciphertext, the terminal device may use the second private key to decrypt the second ciphertext, and after the decryption succeeds, send the encrypted authentication pass information to the cloud server, where the authentication pass information is sent. It may be that the pre-set confirmation information ("OK" or the like in FIG. 3) is encrypted and generated based on the first random number R1 and the second random number R2.

进一步地，云端服务器接收到该认证通过信息之后会对该信息进行解密，以获得预先设置的字符信息，进而根据认证通过信息建立安全的通信连接。Further, after receiving the authentication pass information, the cloud server decrypts the information to obtain pre-set character information, and then establishes a secure communication connection according to the authentication pass information.

本申请实施例的密钥协商方法，通过终端设备将加密的第一密文发送至云端服务器，以通过云端服务器对其进行解密并根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。In the key negotiation method of the embodiment of the present application, the encrypted first ciphertext is sent to the cloud server by the terminal device, and is decrypted by the cloud server, and the legality of the terminal device is verified according to the identifier information and the second public key, and The decrypted data is encrypted again, sent to the terminal device, and then decrypted after the terminal device receives the second ciphertext to verify the identity. Thereby, the two-way identity of the terminal device and the cloud server can be completed. Proof and establish a reliable and secure connection, which reduces costs, which improves the security and efficiency of data transmission.

为实现上述目的，本申请还提出一种密钥协商装置。To achieve the above object, the present application also proposes a key agreement apparatus.

图4是根据本申请一个实施例的密钥协商装置的结构示意图。FIG. 4 is a schematic structural diagram of a key agreement apparatus according to an embodiment of the present application.

如图4所示，该密钥协商装置可包括：加密模块41、发送模块42、响应模块43和解密模块44。As shown in FIG. 4, the key agreement apparatus may include an encryption module 41, a sending module 42, a response module 43, and a decryption module 44.

其中，加密模块41用于生成第一随机数，应用云端服务器的第一公钥对第一随机数和终端设备的标识信息进行加密生成第一密文。The cryptographic module 41 is configured to generate a first random number, and apply the first public key of the cloud server to encrypt the first random number and the identification information of the terminal device to generate the first ciphertext.

发送模块42用于向云端服务器发送密钥协商请求，其中，密钥协商请求包括：第一密文和终端设备的第二公钥，以便云端服务器应用第一私钥解密第一密文后，根据标识信息和第二公钥验证终端设备的合法性。The sending module 42 is configured to send a key negotiation request to the cloud server, where the key negotiation request includes: the first ciphertext and the second public key of the terminal device, so that the cloud server applies the first private key to decrypt the first ciphertext, The validity of the terminal device is verified according to the identification information and the second public key.

响应模块43用于接收云端服务器验证终端设备合法后，应用第二公钥对会话密钥加密后发送的包括第二密文的密钥协商响应，其中，会话密钥包括第一随机数。The response module 43 is configured to receive a key agreement response that includes the second ciphertext after the cloud server verifies that the terminal device is legal, and the second public key is used to encrypt the session key, where the session key includes the first random number.

解密模块44用于应用第二私钥对第二密文进行解密，在获得第一随机数时，应用会话密钥对预先与云端服务器协商的第一字符串进行加密，向云端服务器发送包括第三密文的密钥确认响应，以供云端服务器应用会话密钥对第三密文进行解密处理，并根据解密结果中是否包含第一字符串确定密钥协商是否成功。The decryption module 44 is configured to use the second private key to decrypt the second ciphertext. When the first random number is obtained, the application session key encrypts the first string negotiated in advance with the cloud server, and sends the first string to the cloud server. The key confirmation response of the third ciphertext is used for decrypting the third ciphertext by the cloud server application session key, and determining whether the key negotiation is successful according to whether the first string is included in the decryption result.

其中，在本申请的一个实施例中，标识信息为终端设备的MAC地址，密钥协商请求中还包括：第一密文的哈希值，以便云端服务器应用第一私钥解密第一密文后，根据MAC地址、哈希值和第二公钥验证终端设备的合法性。In an embodiment of the present application, the identifier information is a MAC address of the terminal device, and the key negotiation request further includes: a hash value of the first ciphertext, so that the cloud server applies the first private key to decrypt the first ciphertext. After that, the validity of the terminal device is verified according to the MAC address, the hash value, and the second public key.

其中，在本申请的一个实施例中，解密模块44用于按照预设周期通过随机数发生器生成预设长度的随机数，将随机数与第一字符串进行拼接处理生成第二字符串，应用会话密钥对第二字符串进行加密，向云端服务器发送包括第三密文的密钥确认响应，以供云端服务器应用会话密钥对第三密文进行解密处理，并根据解密结果中是否包含第一字符串确定密钥协商是否成功。In an embodiment of the present application, the decrypting module 44 is configured to generate a random number of a preset length by using a random number generator according to a preset period, and perform a splicing process on the random number and the first character string to generate a second character string. Encrypting the second character string by using the session key, and sending a key confirmation response including the third ciphertext to the cloud server, so that the cloud server applies the session key to decrypt the third ciphertext, and according to whether the decryption result is The first string is included to determine if the key negotiation is successful.

本发明实施例提供的密钥协商装置与上述第一方面实施例提供的密钥协商方法相对应，因此在前述密钥协商方法的实施方式也适用于本实施例提供的密钥协商装置，在本实施例中不再详细描述。The key agreement device provided by the embodiment of the present invention corresponds to the key agreement method provided by the foregoing first embodiment. Therefore, the implementation manner of the foregoing key negotiation method is also applicable to the key agreement device provided in this embodiment. This embodiment will not be described in detail.

本申请实施例的密钥协商装置，通过终端设备将加密的第一密文发送至云端服务器，以通过云端服务器对其进行解密并根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The key agreement apparatus of the embodiment of the present invention sends the encrypted first ciphertext to the cloud server through the terminal device, decrypts the cloud file through the cloud server, and verifies the legality of the terminal device according to the identifier information and the second public key, and The decrypted data is encrypted again, sent to the terminal device, and then decrypted after the terminal device receives the second ciphertext to verify the identity. Thereby, the two-way identity of the terminal device and the cloud server can be completed. Proof and establish a reliable and secure connection, which reduces costs, which improves the security and efficiency of data transmission.

如图5所示，该密钥协商装置可包括：接收模块51、查询模块52、第一处理模块53、第二处理模块54和检测模块55。As shown in FIG. 5, the key agreement apparatus may include: a receiving module 51, a querying module 52, a first processing module 53, a second processing module 54, and a detecting module 55.

接收模块51用于接收终端设备发送的密钥协商请求，其中，密钥协商请求包括：第一密文和终端设备的第二公钥。The receiving module 51 is configured to receive a key negotiation request sent by the terminal device, where the key negotiation request includes: a first ciphertext and a second public key of the terminal device.

查询模块52用于应用云端服务器的第一私钥解密第一密文获取第一随机数和终端设备的标识信息，根据标识信息和第二公钥查询预存的许可数据库验证终端设备的合法性。The query module 52 is configured to use the first private key of the cloud server to decrypt the first ciphertext to obtain the first random number and the identification information of the terminal device, and query the pre-stored license database according to the identifier information and the second public key to verify the legality of the terminal device.

第一处理模块53用于在许可数据库包括标识信息和第二公钥时，应用第二公钥对会话密钥加密，向终端设备发送包括第二密文的密钥协商响应，其中，会话密钥包括第一随机数。The first processing module 53 is configured to: when the license database includes the identifier information and the second public key, apply the second public key to encrypt the session key, and send a key agreement response including the second ciphertext to the terminal device, where the session is dense The key includes a first random number.

第二处理模块54用于接收终端设备应用第二私钥解密第二密文获取第一随机数后发送的包括第三密文的密钥确认响应，应用会话密钥解密第三密文获取解密结果。The second processing module 54 is configured to receive a key confirmation response including a third ciphertext sent by the terminal device after the second private cipher is decrypted by the second private cipher, and decrypt the third ciphertext by using the session key to obtain the decryption. result.

检测模块55用于检测解密结果中是否包含与终端设备预先协商的第一字符串确定密钥协商是否成功。The detecting module 55 is configured to detect whether the decryption result includes whether the first string determined in advance with the terminal device determines whether the key negotiation is successful.

其中，在本申请的一个实施例中，第一处理模块53用于生成第二随机数，将第二随机数与第一随机数进行拼接生成会话密钥；应用第二公钥对会话密钥加密。In an embodiment of the present application, the first processing module 53 is configured to generate a second random number, splicing the second random number with the first random number to generate a session key, and applying the second public key to the session key. encryption.

本发明实施例提供的密钥协商装置与上述第二方面实施例提供的密钥协商方法相对应，因此在前述密钥协商方法的实施方式也适用于本实施例提供的密钥协商装置，在本实施例中不再详细描述。The key agreement device provided by the embodiment of the present invention corresponds to the key negotiation method provided in the foregoing second embodiment. Therefore, the implementation of the foregoing key negotiation method is also applicable to the key agreement device provided in this embodiment. This embodiment will not be described in detail.

本申请实施例的密钥协商装置，接收终端设备发送的加密的第一密文，以并对其进行解密再根据标识信息和第二公钥验证终端设备的合法性，并对解密得到数据进行再一次的加密，同时发送给终端设备，然后在终端设备接收到该第二密文之后对其进行解密，以验证身份。由此，可以完成终端设备和云端服务器的双向身份认证，并建立可靠性的安全连接，降低了成本，其提高了数据传输的安全性且效率高。The key agreement apparatus of the embodiment of the present invention receives the encrypted first ciphertext sent by the terminal device, decrypts the ciphertext, and then verifies the legality of the terminal device according to the identifier information and the second public key, and performs data decryption. Once again, the encryption is simultaneously sent to the terminal device, and then the terminal device decrypts the second ciphertext after it receives the second ciphertext to verify the identity. Thereby, the two-way identity authentication of the terminal device and the cloud server can be completed, and a reliable and secure connection is established, which reduces the cost, which improves the security of the data transmission and is highly efficient.

在本说明书的描述中，参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本申请的至少一个实施例或示例中。在本说明书中，对上述术语的示意性表述不必须针对的是相同的实施例或示例。而且，描述的具体特征、结构、材料或者特点可以在任一个或多个实施例或示例中以合适的方式结合。此外，在不相互矛盾的情况下，本领域的技术人员可以将本说明书中描述的不同实施例或示例以及不同实施例或示例的特征进行结合和组合。 In the description of the present specification, the description with reference to the terms "one embodiment", "some embodiments", "example", "specific example", or "some examples" and the like means a specific feature described in connection with the embodiment or example. A structure, material or feature is included in at least one embodiment or example of the application. In the present specification, the schematic representation of the above terms is not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, various embodiments or examples described in the specification, as well as features of various embodiments or examples, may be combined and combined.

尽管上面已经示出和描述了本申请的实施例，可以理解的是，上述实施例是示例性的，不能理解为对本申请的限制，本领域的普通技术人员在本申请的范围内可以对上述实施例进行变化、修改、替换和变型。 While the embodiments of the present application have been shown and described above, it is understood that the above-described embodiments are illustrative and are not to be construed as limiting the scope of the present application. The embodiments are subject to variations, modifications, substitutions and variations.

Claims

A key negotiation method, comprising the steps of:

Generating a first random number, and applying the first public key of the cloud server to encrypt the first random number and the identification information of the terminal device to generate a first ciphertext;

Sending a key negotiation request to the cloud server, where the key negotiation request includes: the first ciphertext and a second public key of the terminal device, so that the cloud server applies the first private key After decrypting the first ciphertext, verifying the legality of the terminal device according to the identifier information and the second public key;

Receiving, by the cloud server, the key agreement response including the second ciphertext sent by the second public key after the session key is encrypted, wherein the session key includes the first a random number;

Applying the second private key to decrypt the second ciphertext, and if the first random number is obtained, applying the session key to encrypt the first character string negotiated in advance with the cloud server, The cloud server sends a key confirmation response including the third ciphertext, so that the cloud server applies the session key to decrypt the third ciphertext, and according to whether the decryption result includes the The first string determines if the key negotiation was successful.

The method according to claim 1, wherein the identification information is a MAC address of the terminal device;

The key negotiation request further includes: a hash value of the first ciphertext, so that the cloud server applies the first private key to decrypt the first ciphertext, according to the MAC address, The hash value and the second public key verify the legitimacy of the terminal device.

The method of claim 1, wherein the applying the session key to encrypt a first character string negotiated in advance with the cloud server comprises:

Generating a random number of a preset length by a random number generator according to a preset period;

Splicing the random number with the first character string to generate a second character string;

Encrypting the second character string by using the session key, and sending a key confirmation response including the third ciphertext to the cloud server, where the cloud server applies the session key pair to the The third ciphertext performs decryption processing, and determines whether the key negotiation is successful according to whether the first character string is included in the decryption result.

A key negotiation method, comprising the steps of:

Receiving a key negotiation request sent by the terminal device, where the key negotiation request includes: a first ciphertext and a second public key of the terminal device;

Decrypting the first ciphertext of the cloud server to obtain the first random number and the identification information of the terminal device, and querying the pre-stored license database according to the identifier information and the second public key to verify the terminal device legality;

And if the license database includes the identifier information and the second public key, applying the second public key to encrypt the session key, and sending a key agreement response including the second ciphertext to the terminal device, where The session key includes The first random number;

Receiving a key confirmation response including the third ciphertext sent by the terminal device after the second private key is decrypted by the second private key to obtain the first ciphertext, and applying the session key to decrypt the first The third ciphertext obtains the decrypted result;

It is detected whether the decryption result includes whether the first string determined in advance with the terminal device determines whether the key negotiation is successful.

The method of claim 4, wherein the applying the second public key to encrypt the session key comprises:

Generating a second random number, and splicing the second random number with the first random number to generate a session key;

The session key is encrypted by applying the second public key.

A key agreement device, comprising:

The cryptographic module is configured to generate a first random number, and use the first public key of the cloud server to encrypt the first random number and the identification information of the terminal device to generate a first ciphertext;

a sending module, configured to send a key negotiation request to the cloud server, where the key negotiation request includes: the first ciphertext and a second public key of the terminal device, so that the cloud server application office After the first private key decrypts the first ciphertext, verifying the legality of the terminal device according to the identifier information and the second public key;

a response module, configured to receive a key agreement response that includes the second ciphertext sent by the second public key after the cloud server is authenticated by the cloud server, where the session key is encrypted. The key includes the first random number;

a decryption module, configured to apply the second private key to decrypt the second ciphertext, and when the first random number is obtained, apply the session key to a first character negotiated in advance with the cloud server The string is encrypted, and the key confirmation response including the third ciphertext is sent to the cloud server, so that the cloud server applies the session key to decrypt the third ciphertext, and according to the decryption result Whether the first string is included in the determination whether the key negotiation is successful.

The device according to claim 6, wherein the identification information is a MAC address of the terminal device;

The apparatus of claim 6 wherein said decryption module is for:

Encrypting the second character string by using the session key, and sending a key confirmation response including the third ciphertext to the cloud server, where the cloud server applies the session key pair to the Third ciphertext decryption And determining whether the key negotiation is successful according to whether the first string is included in the decryption result.

A key agreement device, comprising:

a receiving module, configured to receive a key negotiation request sent by the terminal device, where the key negotiation request includes: a first ciphertext and a second public key of the terminal device;

a query module, configured to decrypt the first ciphertext by using the first private key of the cloud server to obtain the first random number and the identification information of the terminal device, and query the pre-stored license database verification according to the identifier information and the second public key. Legality of the terminal device;

a first processing module, configured to: when the license database includes the identifier information and the second public key, apply the second public key to encrypt a session key, and send the second ciphertext to the terminal device Key negotiation response, wherein the session key includes the first random number;

a second processing module, configured to receive a key confirmation response including the third ciphertext sent by the terminal device after the second private key is decrypted by the second private key to obtain the first ciphertext, and apply the Decrypting the third ciphertext by the session key to obtain a decryption result;

And a detecting module, configured to detect whether the decryption result includes whether the first string determined in advance with the terminal device determines whether the key negotiation is successful.

The apparatus of claim 9, wherein the first processing module is configured to:

Encrypting the session key by applying the second public key

An apparatus, comprising:

One or more processors;

Memory

One or more programs, the one or more programs being stored in the memory, and when executed by the one or more processors, performing the following steps:

Applying the second private key to decrypt the second ciphertext, and if the first random number is obtained, applying the session key to encrypt the first character string negotiated in advance with the cloud server, The cloud server sends a packet a key confirmation response of the third ciphertext, wherein the cloud server applies the session key to decrypt the third ciphertext, and determines whether the first string is included in the decryption result. Whether the key negotiation was successful.

An apparatus, comprising:

One or more processors;

Memory

A non-volatile computer storage medium, characterized in that the computer storage medium stores one or more programs, when the one or more programs are executed by a device, causing the device to perform the following steps:

A non-volatile computer storage medium, characterized in that the computer storage medium stores one or A plurality of programs, when the one or more programs are executed by a device, cause the device to perform the following steps: